I have about 20,000 matching events when I do a search for a specific term. Piping to geoip limits my results to 2,724 events, and 998 events with location information. What is going on here? Any limits I need to change? Any insight appreciated.
scdpantidepressantskills sc_status="200"
Data shows from Jan - Dec
vs
scdpantidepressantskills sc_status="200" | geoip c_ip
Only Nov - Dec Data appears
The answer by ziegfried in this post was helpful:
http://splunk-base.splunk.com/answers/37105/geoip-search-results-not-correct
In my case I added "stats count as c_ip" (my IP field was c_ip) to aggregate the counts before piping to geoip, to reduce the results to within the internal limit. The end result has over 50,000 matching events with location information.
I'm seeing the same issue and have deduped my src_ip, which provides 3000 unique IPs. Running geoip src_ip provides only approximately the first 1000 results. What config change needs to occur to process all?
Thanks
Did you try deduping the ip field before piping it out to c_ip?
Like: scdpantidepressantskills sc_status="200" | dedup c_ip | geoip c_ip
Your results are probably pulling up duplicates of IPs.
Deduping reduces it a bit, but I was able to increase the limit to no more than 10000 events in limits.conf.
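The two workarounds in this thread (aggregate with stats before geoip, or dedup the IP field before geoip) both do the same thing: they cut the number of rows that reach geoip from one per event down to one per unique client IP, so the command's internal result cap is hit far less often. The search below is an added example written for this page, not a search posted by anyone in the thread. It reuses the thread's search term and the c_ip field, and it assumes the standard SPL form `stats count BY c_ip` for per-IP aggregation (the accepted answer's own wording is "stats count as c_ip"); the hits, first_seen and last_seen field names are chosen here and are not from the page.

```spl
scdpantidepressantskills sc_status="200"
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen BY c_ip
| sort - hits
| geoip c_ip
```

The stats stage collapses 20,000 events into one row per client address, keeping the event count and the time span for each address so nothing about the original volume is lost; sorting by hits first means that if the geoip cap is still reached, the rows that are dropped are the least frequent addresses rather than an arbitrary tail. Replacing the stats line with `| dedup c_ip` gives the same row reduction but discards the per-IP counts, which is why the aggregate version is the more useful one for the "how many events per location" question the original poster was asking.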